When I first started in the computer business, the only books were manuals
published by vendors. Well, maybe there were a few books for sale, but not
very many. This made it difficult to figure out problems, especially when
I had experiences such as a co-worker salesman who told me that "We are
not in the documentation business." We were working for a computer
vendor. I moved on expecting the company would have difficulty within a
few years. It did. The point of this story is that the need for technical
details has always been important in a technical world. It has been most
satisfying to see the publishing industry provide good books to fill
the void. There is still a problem, however. As technical books appear and
new disciplines are created, new people pop into view. Many are new to the
field and need to catch up because they do not know the history.

Computer forensics is one of those rediscovered fields. By and large,
forensics done on a computer involves the disk [ed. disk == hard drive].
Yes, volatile memory and hardware memory are important, but the bulk
of the work will be pulling out information from one or more disks. In
the early days, besides being really small, disks were documented in a
so-so manner. If you worked closely with them, you learned. As
computers spread to the desktop and the desktop was Microsoft
territory, most users did not pay attention to the disk details. Thus
the structure, operation and drivers were forgotten. This all changed
around 2000, when Law Enforcement realized just how much evidence was
on these disks. Computer forensics has now become an important career
unto itself. The forensics cases I am aware of tend to use packages,
for example EnCase in the commercial space, and some great open source
packages. Prosecutors tend to analyze a case quickly because they are
busy and the case load only goes up. The need for real expertise has
been diminished somewhat, due in part to the lack of sophistication on
the criminal end.

While the good forensics books are good, they do not go into the details
of disks that Carrier does. He is not focusing on forensics as much as he
is focusing on file systems and disk structure. I like this book because
he is sticking to the expertise end of the game. Gathering the details of
the file systems to be presented was not a trivial task. Mastering them so
that they could be explained so well had to have been even more difficult.
Naturally Carrier spends time with disk acquisition and investigation as a
preface to the real technical work. He also includes information on two
packages, The Sleuth Kit and Autopsy, two very nice, free packages written
by him. I use them in my security class for the forensics section.
Criminals are getting much more sophisticated. Today's computer forensics
specialists need to be just as sophisticated.

The book completely covers FAT, NTFS, Ext2, Ext3, UFS1 and UFS2. I highly
recommend this book for forensics specialists, but also for anyone who
wants a proper look at disks. We can all benefit from Carrier's expertise.